-1

In the Bitcoin protocol, the block header is hashed twice using SHA-256:

HASH1 = SHA256(header)
HASH2 = SHA256(hash1) The block header is 80 bytes long, and the nonce is located in the last 4 bytes (bytes 76 to 79). After the double SHA-256 operation, we get a final 32-byte HASH (HASH2), which is compared to the target.

My question is:

While converting this entire process into a Boolean formula using CNF (Conjunctive Normal Form), where exactly does the NONCE appear?

Especially, how does the NONCE influence the intermediate HASH (HASH1) and the final hash (HASH2) in CNF form?

Can we say the NONCE is "present" in any way in the intermediate HASH or final HASH?

I want to understand how the NONCE bits are represented in a SAT model of this double SHA-256 operation.

R_Jalaei
  • 515
  • 2
  • 12
PRAKASH CHANDRA
  • 9
  • 2

1 Answers1

1

where exactly does the NONCE appear?

That depends on the CNF equations. For those obtained using CGEN (then augmented for the second SHA-256 / third compression) as in an earlier question, the message is variables starting from 1, thus the nonce is variables 609 to 640 (from byte at offset 76 most significant bit to byte at offset 79 least significant bit).

How does the NONCE influence the intermediate HASH (HASH1) and the final hash (HASH2) in CNF form?

Very much. Essentially, each of these 32 nonce bits influences each of the 256 bits in these two hashes with probability near 50% (computed over the possible values of some of the other 639 message bits, or even just of the other 31 nonce bits). That generalizes from these 2×256 hash bits to a large portion (I guess like 65%) of the variables in the CNF, because these message bits propagate quickly to the last 2 out of 3 SHA-256 compression functions in the full CNF.

Can we say the NONCE is "present" in any way in the intermediate HASH or final HASH?

It's extremely unlikely (probability in the order of 2-193) that two different NONCE values generate the same intermediate HASH or final HASH, with all other 608 message bits fixed. Thus the NONCE is practically implied by the intermediate HASH or final HASH combined with the other other 608 message bits. Arguably we could use "present in" rather than "implied by" in the previous sentence.

Other than that, I don't see that we can say the NONCE is "present in" one of the two hashes.

fgrieu
  • 149,326
  • 13
  • 324
  • 622